CVE-2025-11855 is a critical security vulnerability identified in the WordPress age-restriction plugin versions through 3.0.2. The root cause is improper privilege management (CWE-269) in the function age_restrictionRemoteSupportRequest, which does not enforce authorization checks. This allows any authenticated user, including those with minimal privileges such as subscribers, to invoke this function and create a new administrator account with a hardcoded username and an attacker-chosen password. The vulnerability effectively bypasses WordPress's role-based access control, granting an attacker full administrative control over the affected site. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector (remote exploitation), low attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the ease of exploitation and the severity of impact make this a critical risk for affected sites. The vulnerability is particularly dangerous because it can be exploited by any authenticated user, which is a common state for many WordPress sites allowing user registrations or memberships. No official patches or updates have been released at the time of this report, increasing the urgency for mitigation. The vulnerability was reserved and published in late 2025, indicating recent discovery and disclosure.

The vulnerability allows attackers with minimal privileges to escalate to full administrator rights, leading to complete site takeover. This compromises the confidentiality of sensitive data stored or processed by the WordPress site, including user information and content. Integrity is severely impacted as attackers can modify site content, inject malicious code, or alter configurations. Availability can also be disrupted through destructive actions or backdoors. Organizations relying on the age-restriction plugin face risks of defacement, data breaches, unauthorized access to backend systems, and potential pivoting to other internal resources. The attack requires only authenticated access, which is often easy to obtain on many WordPress sites that allow user registrations, increasing the attack surface. The lack of known exploits in the wild currently limits immediate widespread damage but also means defenders must act proactively. The vulnerability undermines trust in affected websites and can lead to reputational damage, regulatory penalties, and financial losses.

Until an official patch is released, organizations should take immediate steps to reduce risk. First, restrict or disable user registrations or limit them to trusted users only. Review and audit all user accounts for suspicious or unauthorized administrator accounts. Temporarily disable or uninstall the age-restriction plugin if feasible. Implement strict monitoring and alerting for new administrator account creations and unusual privilege escalations. Employ Web Application Firewalls (WAFs) with custom rules to block requests to the vulnerable function or suspicious POST requests related to the plugin. Harden WordPress installations by enforcing strong authentication mechanisms such as multi-factor authentication (MFA) for all administrator accounts. Regularly back up site data and configurations to enable rapid recovery if compromise occurs. Stay informed on vendor updates and apply patches immediately once available. Consider isolating critical WordPress instances behind VPNs or IP whitelisting to limit access to authenticated users only. Conduct penetration testing focused on privilege escalation vectors to identify any other weaknesses.